From: Daniel Ahlberg (aliz_at_gentoo.org)
Date: Wed Aug 14 2002 - 04:15:25 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - --------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT
    - - --------------------------------------------------------------------

    PACKAGE :xinetd
    SUMMARY :pipe exposure
    DATE :2002-08-14 08:40 UTC

    - - --------------------------------------------------------------------

    OVERVIEW

    File descriptors introduced in 2.3.4 can be used to crash xinetd
    resulting in a denial of service.

    DETAIL

    Solar Designer found a vulnerability in xinetd, a replacement for the
    BSD derived inetd. File descriptors for the signal pipe introduced in
    version 2.3.4 are leaked into services started from xinetd. The
    descriptors could be used to talk to xinetd resulting in crashing it
    entirely. This is usually called a denial of service.

    SOLUTION

    It is recommended that all Gentoo Linux users who are running
    sys-apps/xinetd-2.3.5 and earlier update their systems as follows.

    emerge rsync
    emerge xinetd
    emerge clean

    xinetd-2.3.7 is currently only available for x86. Sparc and ppc will
    be available when it's been tested on these archs.

    - - --------------------------------------------------------------------
    Daniel Ahlberg
    aliz@gentoo.org
    - - --------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE9Wh+4fT7nyhUpoZMRAmdAAJ0a+G6wsTrpxl/KLH8A03XXDfQgHACggUqw
    1xtIcSrLOLwAyv9aain+tDk=
    =GYvc
    -----END PGP SIGNATURE-----
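
The advisory describes internal pipe descriptors being inherited by services a daemon starts. The following C sketch is an added example, not part of the advisory and not xinetd's code: it counts the descriptors that would survive an exec() and marks a daemon-internal pipe close-on-exec, one common mitigation for this class of leak. The function names and the scan limit of 256 are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if fd is open and would be inherited across exec(), else 0. */
static int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)                 /* EBADF: descriptor is not open */
        return 0;
    return (flags & FD_CLOEXEC) == 0;
}

/* Count descriptors in [first, limit) that a started service would inherit. */
int count_inherited(int first, int limit)
{
    int n = 0;
    for (int fd = first; fd < limit; fd++)
        n += survives_exec(fd);
    return n;
}

/* Set close-on-exec on fd, keeping its other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Create a pipe meant only for the daemon itself (hypothetical helper). */
int make_private_pipe(int p[2])
{
    if (pipe(p) == -1)
        return -1;
    if (set_cloexec(p[0]) == -1 || set_cloexec(p[1]) == -1) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    return 0;
}

int main(void)
{
    int leaky[2], priv[2];
    int before = count_inherited(3, 256);
    if (pipe(leaky) == -1 || make_private_pipe(priv) == -1)
        return 1;
    /* Only the plain pipe() pair adds to the inherited set. */
    printf("inherited before=%d after=%d\n", before, count_inherited(3, 256));
    return 0;
}
```

A daemon can run the same count just before exec'ing a service and treat any descriptor beyond the ones it intends to pass as a defect.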